Decision of the European Court of Justice: Data Transfer to the U.S. Can No Longer Be Based on the EU-U.S. Privacy Shield Framework
1. The Decision
On July 16, 2020, in the case known as Schrems II (C-3111/18), the European Court of Justice (“ECJ”) adopted a decision concerning two important aspects of transferring personal data to third countries from the EU:
- the ECJ declared that the decision of the European Commission acknowledging the adequacy of the so-called EU-U.S. Privacy Shield Framework is invalid; and
- confirmed that the Commission’s decision on the standard contractual clauses for the transfer of personal data to processors established in third countries remains valid, and therefore can still serve as the lawful basis for data transfer(s) outside the EU.
As per the regulations contained in Chapter V of the GDPR, data transfer(s) to countries outside the European Economic Area (“EEA”) can only take place if both the data exporter and the recipient can ensure that the level of protection of the data subject’s personal data is at least on par with the safeguards granted by the GDPR.
Chapter V offers multiple ways for data controllers (and processors) to comply with these requirements. One way to accomplish this, and presumably the most common one, is the data controllers’ right to rely on the so-called “adequacy decisions” issued by the European Commission, declaring that a country (or certain parts of it) provides an adequate level of protection. This means that if a country/international organization is – by way of the Commission’s decision – listed as a “safe country”, no further steps regarding authorization or additional safety measures are required.
With regard to data transfers to the U.S., between 2016 and July 16, 2020 (the date of the ECJ’s decision), the Privacy Shield Framework and its corresponding acknowledgement by the European Commission served as the primary legal basis for a number of data controllers and data processors regarding the transfer of personal data to the United States.
3. The Invalidation of the Privacy Shield Decision
Based on the Schrems II decision, it is no longer possible to base the transfer of personal data to the U.S. on Article 45 of the GDPR as of July 16, 2020, as the underlying “adequacy decision” has been declared invalid. Data controllers will have to seek an alternative legal basis to ensure that they are able to lawfully transfer personal data in the future.
For example, these alternative methods include the use of “appropriate safeguards” (Article 46 of the GDPR), such as standard data protection clauses (“SDPCs”), as reinforced by the same decision, or binding corporate rules (“BCRs”).
It must also be noted, however, that although compliance with the Privacy Shield Framework can no longer serve as a lawful basis for data transfer, the ECJ’s current decision does not relieve participants in the Privacy Shield of the obligations they have undertaken under the framework. Based on the information provided by the U.S. Department of Commerce on the Privacy Shield website, the latter will continue to administer the Privacy Shield program and maintain the Privacy Shield List.
4. The Status of SDPCs
The new ECJ ruling declares that SDPCs remain a valid basis for the transfer of data to third countries due to the fact, among others, that:
“[the original] decision [on SDPCs] imposes an obligation on a data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is respected in the third country concerned and that the decision requires the recipient to inform the data exporter of any inability to comply with the standard data protection clauses, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former.” (ECJ Press Release No 91/20 p. 3)
If a data controller wishes to rely on the use of SDPCs, they are required to conduct a prior assessment regarding the “GDPR compliance” level of the intended recipient(s). Unlike a data controller’s previous reliance on the Privacy Shield, basing a transfer solely on SDPCs does not automatically make the transfer lawful.
5. BCRs and Other Bases for Transfers
The ECJ ruling does not specifically concern itself with the question of BCRs; therefore, the transfer of data to the U.S. can still be based on previously approved BCRs as well as the special circumstances set forth in Article 49 of the GDPR (for example, the explicit consent of the data subject or the necessity pertaining to the performance of a contract).
6. Future Prospects
As with the invalidation of the Safe Harbor Agreement (the predecessor of the Privacy Shield) in 2015, it is likely that the EU and the U.S. will begin talks to formulate a new framework which will address the issues set forth in the newly adopted decision of the ECJ (such as the right of access that certain US agencies have to personal data originating from the EU and the lack of corresponding guarantees). Until such an agreement can be worked out and approved by the European Commission, all data controllers previously relying on the corresponding adequacy decision will have to review their former practice and find a new basis for any transfer of personal data directed towards the U.S.